Another gotcha that I ran into was that my old PDC was using a local Windows built-in group (Print Operators in this case), and such mapped groups will cause the classicupgrade process to fail.

What isn’t immediately realized (or wasn’t by me) is that if you just take a brand new Samba install on a brand new server and attempt the classicupgrade process as detailed above, there will be problems. The reason is that the Samba PDC databases do not contain all of the information necessary to do the upgrade. The users, machines, and groups all exist in ‘nix land and are necessary to that environment.

Even though the new AD (again operating as just an AD) itself does not need the ‘nix equivalent users and groups for proper operation, the upgrade process does.

It is necessary to create the same users (including machines) and groups on the new “virgin” box. It is not necessary to match the UIDs of the users or machines, but the GIDs of the groups must match, and the users need to be added to the groups they are members of.

Once the upgrade is complete and the AD is up and running, the added ‘nix users and groups can be removed.
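
One way to prepare the account recreation step described above, as an added example that is not part of the original post: the hypothetical function `gen_account_cmds` reads copies of the old PDC's `/etc/passwd` and `/etc/group` and prints the `groupadd`, `useradd` and `usermod` commands for the new box, keeping GIDs and group memberships but not UIDs. The cut-off of 1000 for non-system accounts and the sample data in `demo` are assumptions.

```shell
#!/bin/sh
# gen_account_cmds PASSWD_COPY GROUP_COPY [MIN_ID]
# Prints groupadd/useradd/usermod commands; it changes nothing itself.
# MIN_ID (default 1000, an assumption) skips system accounts and groups.
gen_account_cmds() {
    awk -F: -v min="${3:-1000}" -v q="'" '
        # Accept only plain account names (optional trailing $ for machines),
        # so file contents can never inject shell syntax into the output.
        function ok(n) { return n ~ /^[A-Za-z0-9_][A-Za-z0-9._-]*[$]?$/ }
        function num(v) { return v ~ /^[0-9]+$/ }

        # passwd copy (first file): name:x:UID:GID:...
        FNR == NR {
            if (ok($1) && num($3) && num($4) && $3 + 0 >= min) {
                order[++u] = $1; pgid[$1] = $4; primary[$4] = 1
            }
            next
        }
        # group copy (second file): name:x:GID:member1,member2
        ok($1) && num($3) && ($3 + 0 >= min || ($3 in primary)) {
            # The GID is preserved: the upgrade needs group GIDs to match.
            printf "groupadd -g %s %s%s%s\n", $3, q, $1, q
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] in pgid) memb[++k] = m[i] ":" $1
        }
        END {
            # No -u: UIDs of users and machines do not have to match.
            for (i = 1; i <= u; i++)
                printf "useradd -M -N -g %s %s%s%s\n", pgid[order[i]], q, order[i], q
            for (i = 1; i <= k; i++) {
                split(memb[i], p, ":")
                printf "usermod -a -G %s%s%s %s%s%s\n", q, p[2], q, q, p[1], q
            }
        }' "$1" "$2"
}

# Constructed sample data (not from a real server), for a dry run.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'alice:x:1001:1001::/home/alice:/bin/sh' \
        'ws01$:x:1002:515::/dev/null:/bin/false' > "$d/passwd"
    printf '%s\n' 'machines:x:515:' 'alice:x:1001:' 'staff:x:1005:alice' > "$d/group"
    gen_account_cmds "$d/passwd" "$d/group"
    rm -rf "$d"
}
```

If the old PDC's accounts come from a source other than the flat files, `getent passwd` and `getent group` redirected to files produce input in the same format. Review the printed commands before running them as root on the new server.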